Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OpenProcess: Is it possible to get ERROR_ACCESS_DENIED for PROCESS_QUERY_LIMITED_INFORMATION but not for SYNCHRONIZE?

Tags:

c

process

winapi

I'm using OpenProcess to get the process handle from a PID. The two tasks the function should do is:

  • must have: wait for the process termination, done with WaitForSingleObject (process, INFINITE)
  • if possible: get exit code, done with GetExitCodeProcess (process, &ret)

Question: Is it possible to get ERROR_ACCESS_DENIED for PROCESS_QUERY_LIMITED_INFORMATION but not for SYNCHRONIZE? If yes: which scenario?

My full code for reference:

/* wait for a pid to end and return its exit code
   error codes are returned as negative value
*/
int
waitpid (const int pid)
{
    int status = 0;
    HANDLE process = NULL;
    DWORD ret;

    /* windows will wait for the own process to end... abort */
    if (pid == _getpid ()) {
        status = 0 - ERROR_INVALID_DATA;
        return status;
    }
    /* get process handle */
    process = OpenProcess (SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    /* if we don't get access to query the process' exit status try to get at least
        access to the process end (needed for WaitForSingleObject)
    */
    if (!process && GetLastError () == ERROR_ACCESS_DENIED) {
        OpenProcess (SYNCHRONIZE, FALSE, pid);
        status = -2;
    }
    if (process) {
        /* wait until process exit */
        ret = WaitForSingleObject (process, INFINITE);
        if (ret == WAIT_FAILED) {
            status = 0 - GetLastError ();
        /* get exit code, if possible */
        } else if (status != -2) { 
            if (!GetExitCodeProcess (process, &ret)) {
                status = 0 - GetLastError ();
            } else {
                status = (int) ret;
            }
        }
        CloseHandle (process);
    } else {
        status = 0 - GetLastError ();
    }
    return status;
}

(if you have any comments to the code: use the comments and share your thoughts)

like image 292
Simon Sobisch Avatar asked Nov 19 '16 22:11

Simon Sobisch


1 Answers

yes, this is possible, because PROCESS_QUERY_LIMITED_INFORMATION and SYNCHRONIZE absolute independent access. however before open process - you need (if possible) enable SE_DEBUG_PRIVILEGE - with this privilege you can open any process (except system protected) independent from process DACL. howver even protected processes can be opened with PROCESS_QUERY_LIMITED_INFORMATION

i do fast check for process access mask on win 10 (1607)

----------------------
0000000000000004 System

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-32-544 Administrators

----------------------
0000000000000110 smss.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-32-544 Administrators

----------------------
0000000000000170 csrss.exe

T FL AcessMsK Sid
0 00 00020C79 S-1-5-18 SYSTEM

----------------------
00000000000001B4 wininit.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-32-544 Administrators

----------------------
00000000000001C0 csrss.exe

T FL AcessMsK Sid
0 00 00020C79 S-1-5-18 SYSTEM

----------------------
0000000000000210 winlogon.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-32-544 Administrators

----------------------
000000000000025C services.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-32-544 Administrators

----------------------
000000000000026C lsass.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-32-544 Administrators

----------------------
00000000000002B4 svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-42363 LogonSessionId_0_42363
0 00 00001400 S-1-5-32-544 Administrators

----------------------
00000000000002F0 svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-63646 LogonSessionId_0_63646
0 00 00001400 S-1-5-32-544 Administrators

----------------------
0000000000000354 dwm.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-90-0-1 DWM-1
0 00 001FFFFF S-1-5-18 SYSTEM

----------------------
00000000000003A8 svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-67924 LogonSessionId_0_67924
0 00 00001400 S-1-5-32-544 Administrators

----------------------
00000000000003B0 svchost.exe

T FL AcessMsK Sid

0 00 001FFFFF S-1-5-5-0-72026 LogonSessionId_0_72026
0 00 00001400 S-1-5-32-544 Administrators

----------------------
00000000000003D8 svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-72302 LogonSessionId_0_72302
0 00 00001400 S-1-5-32-544 Administrators

----------------------
00000000000003F0 svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-75312 LogonSessionId_0_75312
0 00 00001400 S-1-5-32-544 Administrators

----------------------
0000000000000184 WUDFHost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-84-0-76843-0-0-0
0 00 00000400 S-1-5-32-544 Administrators

----------------------
0000000000000314 svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-78668 LogonSessionId_0_78668
0 00 00001400 S-1-5-32-544 Administrators

----------------------
00000000000004BC svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-84911 LogonSessionId_0_84911
0 00 00001400 S-1-5-32-544 Administrators

----------------------
00000000000004C4 svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-86762 LogonSessionId_0_86762
0 00 00001400 S-1-5-32-544 Administrators

----------------------
0000000000000528 svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-89099 LogonSessionId_0_89099
0 00 00001400 S-1-5-32-544 Administrators

----------------------
00000000000005A0 svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-92315 LogonSessionId_0_92315
0 00 00001400 S-1-5-32-544 Administrators

----------------------
0000000000000718 svchost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-136688 LogonSessionId_0_136688
0 00 00001400 S-1-5-32-544 Administrators

----------------------
0000000000000444 WmiPrvSE.exe

T FL AcessMsK Sid

0 00 001FFFFF S-1-5-5-0-144257 LogonSessionId_0_144257
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646
0 00 00100000 S-1-5-18 SYSTEM

----------------------
00000000000006E0 dllhost.exe

T FL AcessMsK Sid

0 00 001FFFFF S-1-5-5-0-146109 LogonSessionId_0_146109
0 00 00001400 S-1-5-32-544 Administrators

----------------------
0000000000000844 VSSVC.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-157627 LogonSessionId_0_157627
0 00 00001400 S-1-5-32-544 Administrators

----------------------
00000000000008E8 sppsvc.exe

T FL AcessMsK Sid

0 00 001FFFFF S-1-5-5-0-279111 LogonSessionId_0_279111
0 00 00001400 S-1-5-32-544 Administrators

----------------------
00000000000008B4 WmiPrvSE.exe

T FL AcessMsK Sid

0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646
0 00 00100000 S-1-5-18 SYSTEM

----------------------
000000000000092C WmiApSrv.exe

T FL AcessMsK Sid

0 00 001FFFFF S-1-5-5-0-306945 LogonSessionId_0_306945
0 00 00001400 S-1-5-32-544 Administrators

----------------------
00000000000009AC sihost.exe

T FL AcessMsK Sid

0 00 001FFFFF S-1-5-21-1621835565-972595261-354493311-1001 Kelly
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-5-0-315893 LogonSessionId_0_315893

----------------------
0000000000000A64 taskhostw.exe

T FL AcessMsK Sid

0 00 001FFFFF S-1-5-21-1621835565-972595261-354493311-1001 Kelly
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-5-0-315893 LogonSessionId_0_315893

----------------------
0000000000000A38 explorer.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-21-1621835565-972595261-354493311-1001 Kelly
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-5-0-315893 LogonSessionId_0_315893

----------------------
0000000000000808 RuntimeBroker.exe

T FL AcessMsK Sid

0 00 001FFFFF S-1-5-21-1621835565-972595261-354493311-1001 Kelly
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646
0 00 00100000 S-1-5-18 SYSTEM

----------------------
0000000000000E74 SppExtComObj.Exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-20 NETWORK SERVICE
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646
0 00 00100000 S-1-5-18 SYSTEM

----------------------
0000000000000F88 audiodg.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-80-2676549577-1911656217-2625096541-4178041876-1366760775 Audiosrv
0 00 00001000 S-1-5-11 Authenticated Users

----------------------
0000000000000BB8 backgroundTaskHost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-21-1621835565-972595261-354493311-1001 Kelly
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-5-0-315893 LogonSessionId_0_315893
0 00 001FFFFF S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742

----------------------
0000000000000FB0 conhost.exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-32-544 Administrators
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00121411 S-1-5-5-0-315893 LogonSessionId_0_315893 

look for example on

0000000000000E74 SppExtComObj.Exe

T FL AcessMsK Sid
0 00 001FFFFF S-1-5-20 NETWORK SERVICE
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646
0 00 00100000 S-1-5-18 SYSTEM

say SYSTEM have SYNCHRONIZE (0x00100000) but have not PROCESS_QUERY_LIMITED_INFORMATION (0x1000) or another example

00000000000008B4 WmiPrvSE.exe

T FL AcessMsK Sid

0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646
0 00 00100000 S-1-5-18 SYSTEM

EDIT

demo test on win 8.1 i enable SE_DEBUG_PRIVILEGE and try open processes with PROCESS_QUERY_LIMITED_INFORMATION|SYNCHRONIZE i success open ALL processes in system, including protected when i try open with PROCESS_QUERY_INFORMATION i got errors for next processes:

c0000022 0000000000000004 System
c0000022 0000000000000138 smss.exe
c0000022 00000000000001A8 csrss.exe
c0000022 00000000000001EC csrss.exe
c0000022 0000000000000244 services.exe
c0000022 00000000000005B8 sppsvc.exe

all this is windows protected processes. now i test with open disabled SE_DEBUG_PRIVILEGE. result say by self

----------- try open with PROCESS_QUERY_LIMITED_INFORMATION

c0000022 00000000000001A8 csrss.exe
c0000022 00000000000001EC csrss.exe
c0000022 000000000000033C dwm.exe
c0000022 00000000000005D0 WUDFHost.exe
c0000022 00000000000007E4 WUDFHost.exe

----------- try open with SYNCHRONIZE

c0000022 00000000000001A8 csrss.exe
c0000022 00000000000001EC csrss.exe
c0000022 00000000000002A4 svchost.exe
c0000022 00000000000002C8 svchost.exe
c0000022 0000000000000320 svchost.exe
c0000022 000000000000033C dwm.exe
c0000022 0000000000000358 svchost.exe
c0000022 0000000000000390 svchost.exe
c0000022 00000000000003CC svchost.exe
c0000022 00000000000001E0 svchost.exe
c0000022 00000000000005D0 WUDFHost.exe
c0000022 00000000000007F0 svchost.exe
c0000022 00000000000005B8 sppsvc.exe
c0000022 00000000000007E4 WUDFHost.exe

so fill different with and without SE_DEBUG_PRIVILEGE

however i not catch case when can open with SYNCHRONIZE, but cannot with PROCESS_QUERY_LIMITED_INFORMATION

like image 152
RbMm Avatar answered Oct 23 '22 16:10

RbMm



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!